June 2025 Infostealer Trend Report


This report provides statistics, trends, and case information on Infostealer malware, including distribution volume, distribution methods, and disguises, based on the data collected and analyzed in June 2025. The following is a summary of the report.


1) Data Sources and Collection Methods


AhnLab SEcurity intelligence Center (ASEC) operates various systems that automatically collect malware in distribution to proactively defend against Infostealer threats. The collected malware is analyzed for maliciousness and C2 information through an automated analysis system. Relevant information is provided in real time through the ATIP IOC service and can also be found on the ATIP file analysis information page.


AhnLab Systems

  • Automated collection system for malware disguised as cracks
  • Email honeypot system
  • Automated analysis system for malware C2


ATIP Real-Time IOC Service


C2 and Malware Type Analysis

  • File Analysis Info – Related Info – Contacted URLs


Malware types are classified based on results from AhnLab’s sandbox, automated analysis systems, and product detection names. Downloader-type malware may be counted under two or more types. The statistics on impersonated companies are based on the version resource and code-signing certificate information embedded in the malware; threat actors fill in these fields arbitrarily to make their files look like legitimate software, and the companies named have no connection to the malware’s distribution.


The statistics in this report are intended to be used to identify trends in the distribution quantity, disguise techniques, and distribution methods of Infostealers.


2) Infostealers Disguised as Cracks

This section provides statistics on Infostealers distributed under the guise of illegal programs such as cracks and keygens. The malware is spread through SEO poisoning: the distribution posts are manipulated to rank at the top of search engine results for the software being sought. ASEC operates a system that automatically collects such malware and extracts its C2 information in real time, blocks the C2, and publishes the related information through ATIP. Until recently LummaC2 was by far the most widely distributed family, but in June a broader mix was observed, including LummaC2, Rhadamanthys, ACRStealer, Vidar, and StealC. In particular, a new ACRStealer variant appeared and was distributed widely.



Figure 1. Malware distribution pages


The graph below shows the quantity of malware distributed in this manner over the past year. The second legend counts samples that had no record on VirusTotal at the time of collection, meaning AhnLab collected them first; it shows that many of them were first collected and responded to by AhnLab’s automated collection system. In June the number dropped sharply compared with May, apparently because LummaC2, which had accounted for much of the volume, was distributed far less.



Graph 1. Annual malware distribution quantity


Previously, threat actors posted their malware download links on blogs they controlled. Once search engines began keeping these malicious blogs out of search results, detection numbers trended downward, but threat actors now bypass the filtering by posting the distribution content on legitimate websites: popular forums, specific companies’ Q&A pages, bulletin boards, and comment sections. The images below are examples of distribution posts uploaded to various online communities.



Figure 2. Distribution post on a legitimate site (RNLA homepage)



Figure 3. Distribution post on a legitimate site (SourceForge)


The daily malware collection statistics for June are as follows. Threat actors continuously create and distribute new malware, and the volume is concentrated on specific dates.


Trend #1


Many new ACRStealer variants were distributed. ACRStealer is a MaaS (malware-as-a-service) Infostealer first identified in 2024. Samples of a modified version began appearing at the end of May and were distributed widely in June. Unlike earlier builds, the modified ACRStealer communicates with its C2 server through native NT functions, and during C2 communication it uses HTTP Host header spoofing to evade security products: the Host header names a domain other than the server actually being contacted, so products that key on the Host header see a benign domain. Various anti-analysis techniques have also been added, such as manually mapping a clean copy of ntdll (to sidestep user-mode API hooks) and the Heaven’s Gate technique (switching a 32-bit process into 64-bit mode to issue system calls directly). Related information can be found in the ASEC Notes below. This is currently the most actively evolving Infostealer, so users should be careful.




Figure 6. ACRStealer C2 communication records on VirusTotal (host domain spoofing)
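To make the Host header spoofing described in Trend #1 concrete, the following added example (not AhnLab’s code, and not a reproduction of ACRStealer’s real traffic) scans a proxy log for requests whose Host header does not match the server actually contacted: either the destination IP is one the Host domain has never resolved to, or the TLS SNI names a different host. The log format, the passive-DNS table, and every domain and IP address in it are assumptions constructed for illustration.

```python
"""Flag HTTP requests whose Host header does not match the server contacted.

Added example for this report; not AhnLab code and not real ACRStealer traffic.
The log format, the passive-DNS table and all domains/IPs are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed passive-DNS snapshot: domain -> IPs it has been observed resolving to.
# In a real deployment this would come from a resolver or a passive-DNS feed.
PASSIVE_DNS: Dict[str, Set[str]] = {
    "www.example.com": {"93.184.216.34"},
    "update.example.org": {"198.51.100.10", "198.51.100.11"},
    "cdn.example.net": {"203.0.113.5"},
}

# Constructed proxy log: one request per line as key=value pairs; "-" means absent.
SAMPLE_LOG = """\
src=10.0.0.5 dst=93.184.216.34 dport=80 host=www.example.com sni=-
src=10.0.0.5 dst=203.0.113.77 dport=80 host=www.example.com sni=-
src=10.0.0.7 dst=198.51.100.10 dport=443 host=update.example.org sni=cdn.example.net
src=10.0.0.9 dst=198.51.100.99 dport=80 host=198.51.100.99 sni=-
"""


def parse_line(line: str) -> Dict[str, Optional[str]]:
    """Split 'k=v k=v ...' into a dict, mapping the '-' placeholder to None."""
    fields: Dict[str, Optional[str]] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = None if value == "-" else value
    return fields


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_request(dst_ip: str, host_header: str, sni: Optional[str]) -> List[str]:
    """Return the reasons one request looks spoofed (empty list = consistent)."""
    reasons: List[str] = []
    host = host_header.lower()
    if host.count(":") == 1:  # strip an explicit port; raw IPv6 literals are out of scope
        host = host.split(":")[0]
    if _is_ip_literal(host):
        # A raw-IP Host header is a different indicator; nothing to cross-check here.
        return reasons
    known = PASSIVE_DNS.get(host)
    if known is None:
        reasons.append("host-not-in-pdns")
    elif dst_ip not in known:
        reasons.append("host-ip-mismatch")  # benign Host header, connection to an unrelated IP
    if sni is not None and sni.lower() != host:
        reasons.append("sni-host-mismatch")  # TLS SNI and HTTP Host disagree
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run check_request over every log line; return only the suspicious ones."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f.get("dst") or not f.get("host"):
            continue
        reasons = check_request(str(f["dst"]), str(f["host"]), f.get("sni"))
        if reasons:
            findings.append({"src": f["src"], "dst": f["dst"], "host": f["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A mismatch is a hunting signal rather than a verdict: CDN fronting, shared hosting, and stale passive-DNS data all produce legitimate mismatches, so the findings should be triaged against the destination IP’s reputation and the process that issued the request.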


Trend #2


An unusual type of malware was distributed using a different method than before. When the malware runs, an installer screen appears; if the user clicks the install button, the malware copies itself to the path below and registers itself to run automatically.



Figure 7. Malware execution screen


  • Malware Creation Path 
    C:\Program Files (x86)\Windows NT\TableTextService\svchost.exe
  • Automatic Execution Registry Path
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run [TableTextServiceStartup]
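The two artifacts above are enough for a simple persistence audit. The following added example (not AhnLab’s code) performs the check a defender would run over Run-key entries: it flags any value whose executable is named like a core Windows binary (here svchost.exe) but does not reside in %SystemRoot%\System32 or %SystemRoot%\SysWOW64, which is exactly the pattern of the sample described. The TableTextServiceStartup entry is the one from the report; the other entries, and the assumption that SystemRoot is C:\Windows, are constructed for illustration. On a live host the entries would be read from the registry (for example with Get-ItemProperty on the Run key in PowerShell) and passed to audit_run_entries().

```python
"""Audit Run-key entries for system binary names outside the system directories.

Added example for this report; not AhnLab code. The TableTextServiceStartup entry
is from the report, the remaining entries and the SystemRoot value are constructed.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Assumed environment for the example; read from the host in practice.
ENV = {"SystemRoot": r"C:\Windows", "windir": r"C:\Windows"}
_ENV_LOWER = {k.lower(): v for k, v in ENV.items()}

# Directories a genuine copy of these binaries normally runs from.
SYSTEM_DIRS = {
    ntpath.normcase(ntpath.join(ENV["SystemRoot"], d)) for d in ("System32", "SysWOW64")
}

# Core Windows executables whose names are commonly borrowed by malware.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe",
    "smss.exe", "wininit.exe", "dllhost.exe", "conhost.exe", "rundll32.exe",
}

# Value name -> value data, as read from HKCU\...\CurrentVersion\Run.
RUN_ENTRIES: Dict[str, str] = {
    # Entry from the report (Trend #2)
    "TableTextServiceStartup": r"C:\Program Files (x86)\Windows NT\TableTextService\svchost.exe",
    # Constructed entries for contrast
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Updater": r'"C:\Users\user\AppData\Roaming\Updater\svchost.exe" -k netsvcs',
}


def expand_env(path: str) -> str:
    """Expand %VAR% placeholders from the assumed ENV table (case-insensitive)."""
    return re.sub(r"%([^%]+)%", lambda m: _ENV_LOWER.get(m.group(1).lower(), m.group(0)), path)


def executable_from_command(command: str) -> str:
    """Pull the executable path out of a Run value: a quoted path, or the text up to '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx >= 0 else command.split()[0]


def audit_run_entries(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (value_name, executable_path, reason) for every suspicious entry."""
    findings: List[Tuple[str, str, str]] = []
    for name, command in entries.items():
        exe = expand_env(executable_from_command(command))
        directory = ntpath.normcase(ntpath.dirname(exe))   # normcase lowercases for comparison
        basename = ntpath.normcase(ntpath.basename(exe))
        if basename in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            findings.append((name, exe, "system binary name outside System32/SysWOW64"))
    return findings


if __name__ == "__main__":
    for name, exe, reason in audit_run_entries(RUN_ENTRIES):
        print(f"{name}: {exe} ({reason})")
```

The drop directory in this case mimics a real Windows component folder, so a check that compares the executable’s name against its location is more reliable than judging path plausibility alone; on a live host the flagged file’s Authenticode signature and hash would be the next things to verify.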


When the malware runs after a reboot, it creates a window on top of the web browser that the user cannot control. The window displays a message saying that a browser update is needed and prompts the user to click a button. Because the window completely covers the browser, the user can neither use nor close the browser.



Figure 8. Window covering the web browser


Clicking the update button redirects the user to a fake Opera browser download page, and clicking its download button fetches a file. At the time of analysis the file was a legitimate 7z installer, but the threat actor may serve malware at other times or only under certain conditions.



Figure 9. Page opened when the button is clicked


Trend #3


Unlike earlier samples, which placed the archive password in the file name or in a text file, many samples were distributed with the password shown only in an image file. This targets security appliances and automated analysis systems that read the password as text in order to decompress password-protected archives; threat actors are constantly trying to bypass such systems, so users must be careful.



Figure 10. Password-protected compressed file with password in the image file


For statistics not covered in this summary, including the industries targeted by the disguises, the original file names used in building the malware, distribution details, products detected, and Infostealer-related information from phishing emails, please refer to the full ATIP report.


MD5

01542f203172d51d65bb37ce2cc2d813
0896888ab8c9278da66138d2a0c5e713
08a441a738a7a323abb97c576f619a22
09825dd40ba8ba3c1ce240e844d650a8
0b6eafed70b9b9f2ad5f8ef3047e0f91